View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0002061 | libmicrohttpd | digest authentication (HTTP) | public | 2012-01-06 16:26 | 2012-01-23 14:21 |
| Reporter | tclaveirole | Assigned To | Christian Grothoff | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 0.9.17 | ||||
| Target Version | 0.9.18 | Fixed in Version | 0.9.18 | ||
| Summary | 0002061: digest authentication expect nonce count in base 10, RFC says base is 16 | ||||
| Description | Hello, I found a bug with libmicrohttpd's digest authentication. In digestauth.c, line 554, in MHD_digest_auth_check(), the call to strtoul() uses base 10 to parse the nonce counter value from the HTTP Authorization header (nc=...). However, RFC 2617 states one should use base 16 (section 3.2.2, The Authorization Request Header). This is clear from the grammar, and the description for nonce-count clearly states: "The nc-value is the hexadecimal count of the number of requests [...]" I did some tests using libcurl, and libcurl indeed uses hexadecimal values. When the counter reaches 10, valid authentication requests get rejected because MHD_digest_auth_check() cannot parse the nonce counter correctly (the value being 0000000a, and not 00000010). | ||||
| Steps To Reproduce | Setup a minimalist HTTP server with digest authentication using libmicrohttpd. Make ten valid requests to the server using the same nonce (thus increasing the nonce counter from 1 to 10). Even though it is valid, the server replies to the last request with 401 Unauthorized. | ||||
| Additional Information | Attached is a (trivial) patch to solve the issue. | ||||
| Tags | No tags attached. | ||||
| Attached Files | base16-nonce-counter.patch (557 bytes)
Index: src/daemon/digestauth.c
===================================================================
--- src/daemon/digestauth.c (revision 19034)
+++ src/daemon/digestauth.c (working copy)
@@ -551,7 +551,7 @@
(0 == lookup_sub_value(nc, sizeof (nc), header, "nc")) ||
(0 == lookup_sub_value(response, sizeof (response), header, "response")) )
return MHD_NO;
- nci = strtoul (nc, &end, 10);
+ nci = strtoul (nc, &end, 16);
if ( ('\0' != *end) ||
( (LONG_MAX == nci) && (errno == ERANGE) ) )
return MHD_NO; /* invalid nonce */
| ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-01-06 16:26 | tclaveirole | New Issue | |
| 2012-01-06 16:26 | tclaveirole | File Added: base16-nonce-counter.patch | |
| 2012-01-07 14:37 | Christian Grothoff | Assigned To | => Christian Grothoff |
| 2012-01-07 14:37 | Christian Grothoff | Status | new => assigned |
| 2012-01-07 17:33 | Christian Grothoff | Note Added: 0005252 | |
| 2012-01-07 17:33 | Christian Grothoff | Status | assigned => resolved |
| 2012-01-07 17:33 | Christian Grothoff | Fixed in Version | => 0.9.18 |
| 2012-01-07 17:33 | Christian Grothoff | Resolution | open => fixed |
| 2012-01-07 17:47 | Christian Grothoff | Target Version | => 0.9.18 |
| 2012-01-23 14:21 | Christian Grothoff | Status | resolved => closed |
| 2013-05-06 12:52 | Christian Grothoff | Category | digest authentication => digest authentication (HTTP) |
